| /**
* @file config.js
* @desc Reads config.ini files
*/
'use strict';
var _ = require('lodash'),
fs = require('fs'),
logger = require(__dirname + '/loggers/logger'),
configReader = require(__dirname + '/../pnr-common/lib/node/configReader'),
exec = require('child_process').exec;
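/**
 * @function config
 * @desc Return application config object
 *
 * Reads the layered PNR ini files once at require time and, unless
 * pnr_enforcement.mode is 'pnr' or the safeview ini cannot be found,
 * overlays selected safeview settings on top of them. The IIFE takes no
 * arguments, so there is no "force reload" option; callers get the same
 * object on every require.
 *
 * @returns {object} merged config. `runtimeContext` is set to one of 'pnr',
 *   'dual' or 'safeview'. `system_uuid` is filled in asynchronously by the
 *   dmidecode callback below and is undefined until that callback has run.
 */
var config = (function() {
  var pnrConfig = configReader([
    '/etc/pnr/local_config.ini',
    '/etc/pnr/runtime_config.ini',
    '/etc/pnr/launch_config.ini',
    '/etc/pnr/default.ini',
    __dirname + '/../config/config.ini'
  ]);

  var safeviewHome = pnrConfig.pnr_enforcement.safeview_home;
  if (!safeviewHome) {
    safeviewHome = '/opt/safeview';
  }

  // Pure pnr mode: nothing from safeview is consulted.
  if (pnrConfig.pnr_enforcement.mode === 'pnr') {
    pnrConfig.runtimeContext = 'pnr';
    logger.info('PNR Enforcement mode set to "pnr"...ignoring safeview config');
    return pnrConfig;
  }

  var safeviewIni = safeviewHome + '/service/conf/safeview.ini';
  if (!fs.existsSync(safeviewIni)) {
    logger.error('Mode expects safeview config, but cannot find config files..' +
      'running in pnr mode');
    pnrConfig.runtimeContext = 'pnr';
    return pnrConfig;
  }

  // we can still run in safeview only mode if mode is set to safeview
  if (pnrConfig.pnr_enforcement.mode === 'dual') {
    pnrConfig.runtimeContext = 'dual';
  } else {
    pnrConfig.runtimeContext = 'safeview';
  }
  logger.info('Found ' + safeviewIni + ' file');
  logger.info('PNR Enforcement mode is set to "' + pnrConfig.runtimeContext + '"');

  // Note: in dual mode, the safeview configuration takes precedence over the pnr
  // configuration attributes. For example, the safeview redis is preferred
  // over pnr's.
  // The list of ini files and order of the files are available in
  // safeview repo - 'safeview/lib/safly/config.py'
  var svConfig = configReader([
    '/etc/safeview/conf/build.ini',
    '/etc/menlo/conf/safeview_runtime.ini',
    '/etc/safeview/conf/safeview_instance.ini',
    '/run/safeview/conf/safeview_mode.ini',
    '/run/safeview/conf/safeview_deployment.ini',
    safeviewIni
  ]);
  if (!svConfig) {
    logger.warn('Error loading safeview configs.');
    return pnrConfig;
  }

  // Running in Safeview context
  var svPnrConfig = svConfig['policy-enforcement-server'];
  var svPnrRedis = svConfig.reporting;
  var keysToCopy = [
    'policy_server_hostname', 'druid_logging_hostname',
    'druid_tunnel_hostname', 'druid_user', 'druid_key',
    'zookeeper_tunnel_hostname', 'zookeeper_user',
    'zookeeper_key', 'zookeeper_port', 'pnr_runtime_config',
    'kafka_port', 'local_config_path'
  ];

  // Needed for content inspection. The target is guarded the same way as
  // `dashboard` below: _.assign() onto an undefined target does not create
  // the section on pnrConfig, so the safeview values would otherwise be
  // dropped silently.
  if (!pnrConfig.safefile) {
    pnrConfig.safefile = {};
  }
  _.assign(pnrConfig.safefile, svConfig.safefile);

  // Needed for sandbox content inspection - specifically the license_string
  if (!pnrConfig.dashboard) {
    pnrConfig.dashboard = {};
  }
  _.assign(pnrConfig.dashboard, svConfig.dashboard);
  pnrConfig.forensic = svConfig.forensic;

  // svConfig is known to be truthy here (checked above), so only the
  // deployment type decides this branch.
  if (pnrConfig.system_settings.deployment === 'on_prem') {
    // Only the two SAML flags are taken from safeview. If safeview has no
    // [authentication] section this leaves pnrConfig.authentication undefined.
    pnrConfig.authentication = svConfig.authentication && {
      saml_enabled: svConfig.authentication.saml_enabled,
      saml_enabled_readonly: svConfig.authentication.saml_enabled_readonly
    };
  }

  if (svPnrConfig && svPnrRedis) {
    var pnrNet = pnrConfig.networking;
    pnrNet.pnr_enforcement_host = svPnrConfig.host;
    pnrNet.pnr_enforcement_port = svPnrConfig.port;
    // Values copied verbatim from safeview's [policy-enforcement-server]
    // section; several of them (druid_key, zookeeper_key) are credentials,
    // as are redis_password and root_secret below, so the exported object
    // must not be logged or serialized wholesale.
    _.forEach(keysToCopy, function (key) {
      pnrNet[key] = svPnrConfig[key];
    });
    pnrConfig.system_settings.s3_path = svPnrConfig.s3_path;
    pnrConfig.internal = svConfig.internal;
    pnrConfig.system_config.timezone = svConfig.system_config.timezone;
    pnrConfig['redis-sv'] = svConfig['redis-sv'];
    pnrConfig['redis-sentinel'] = svConfig['redis-sentinel'];

    // Redis and syslog endpoints all come from safeview's [reporting] section.
    pnrNet.local_redis_host = svPnrRedis.redis_server_hostname;
    pnrNet.redis_port = svPnrRedis.redis_server_port;
    pnrNet.redis_password = svPnrRedis.redis_server_password;
    pnrNet.syslog_port = svPnrRedis.session_syslog_port;
    pnrNet.syslog_host = svPnrRedis.session_syslog_host;
    pnrNet.syslog_protocol = svPnrRedis.session_syslog_protocol;
    pnrNet.syslog_format = svPnrRedis.session_syslog_format;

    if (pnrConfig.system_settings.deployment === 'on_prem') {
      // These settings are controlled by CMR in on-prem deployments, and are
      // stored in safeview_runtime.ini
      pnrNet.policy_server_enabled = svConfig.networking.policy_server_enabled;
      pnrNet.policy_server_hostname = svConfig.networking.policy_server_hostname;
      pnrNet.policy_server_port = svConfig.networking.policy_server_port;
      pnrNet.verify_policy_server_cert = svConfig.networking.verify_policy_server_cert;
      pnrConfig.pnr_policy.root_secret = svConfig.pnr_policy.root_secret;
      if (svConfig.fluentd) {
        // Coerce to a real boolean; ini readers may hand back a string.
        pnrConfig.fluentd.enabled = !!svConfig.fluentd.enabled;
      }
    }
  }

  // NOTE: dmidecode requires root privilege, this needs to be addressed for PNR-1462
  // exec() is asynchronous: pnrConfig is returned and exported before this
  // callback fires, so system_uuid is undefined for anything that reads it
  // synchronously at startup. The command string is fixed; no caller input
  // reaches the shell.
  exec('dmidecode -s system-uuid', function(error, stdout) {
    if (error) {
      logger.error('Error getting system uuid', error);
      return;
    }
    pnrConfig.system_uuid = stdout.trim();
  });

  return pnrConfig;
})();

module.exports = config;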